September 6, 2019

Third party data breach exposes CVs

By Robert Scammell

A third party with links to recruitment site Monster has left job seeker résumés and CVs exposed on an online server, exposing personal data.

The personal details include names, phone numbers, home addresses, email addresses and prior work experience.

TechCrunch, which first reported the breach, said that most exposed CVs were of people located in the US and spanned between 2014 and 2017.

The exact number of compromised files is unclear, but one folder contained “thousands of résumés”.

Monster said the database was secured in August, shortly after it was first reported.

In a statement to TechCrunch, Monster’s chief privacy officer Michael Jones said:

“The Monster Security Team was made aware of a possible exposure and notified the recruitment company of the issue.”

Monster added that it is the responsibility of its customers that purchased the data to protect candidate résumés and CVs, as well as notify them in the event of a breach.

Security risks of exposed CVs

Security experts warned that the exposed personal data could, in the wrong hands, be used for a range of nefarious purposes.

“The personally identifiable information (PII) typically found on a résumé can lead to account hijacking and highly targeted phishing attacks if it falls into the wrong hands,” said Vinay Sridhara, CTO at cybersecurity firm Balbix.

“In fact, a threat actor can have password reset codes sent to a compromised phone number or email for far more sensitive accounts – both personal and professional.”

Erich Kron, security awareness advocate for cybersecurity awareness training provider KnowBe4, highlighted the lack of transparency around how CVs are used after the recruitment process is over.

“This is a lesson in how data can spread without people being aware of it,” he said.

“In this case, when we put our job history, resume and/or CV on these types of sites, we should assume that organisations are going to collect them as they review and use them for job considerations.

“Where things get murky is what happens with the information after it is used, and ensuring it was used in a proper manner in the first place. Currently, in the US, people are often completely unaware when data is processed by a third party. This is something that GDPR is designed to address.”
